Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Carbanak
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Carbanak
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)
ID: S0030
Associated Software: Anunak
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 01 Apr 2021

Associated Software Descriptions
Name Description
Anunak (Citation: Fox-It Anunak Feb 2015) (Citation: FireEye CARBANAK June 2017)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

The Carbanak malware communicates to its command server using HTTP with an encrypted payload.(Citation: Kaspersky Carbanak)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.(Citation: FireEye CARBANAK June 2017)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Carbanak has a command to create a reverse shell.(Citation: FireEye CARBANAK June 2017)
Enterprise T1136 .001 Create Account: Local Account

Carbanak can create a Windows account.(Citation: FireEye CARBANAK June 2017)
Enterprise T1132 .001 Data Encoding: Standard Encoding

Carbanak encodes the message body of HTTP traffic with Base64.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)
Enterprise T1114 .001 Email Collection: Local Email Collection

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.(Citation: FireEye CARBANAK June 2017)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)
Enterprise T1070 .004 Indicator Removal: File Deletion

Carbanak has a command to delete files.(Citation: FireEye CARBANAK June 2017)
Enterprise T1056 .001 Input Capture: Keylogging

Carbanak logs key strokes for configured processes and sends them back to the C2 server.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)
Enterprise T1055 .002 Process Injection: Portable Executable Injection

Carbanak downloads an executable and injects it directly into a new process.(Citation: FireEye CARBANAK June 2017)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.(Citation: FireEye CARBANAK June 2017)

Groups That Use This Software
ID Name References
G0046 FIN7

(Citation: FireEye FIN7 Aug 2018) (Citation: DOJ FIN7 Aug 2018) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FireEye FIN7 March 2017) (Citation: IBM Ransomware Trends September 2020) (Citation: FBI Flash FIN7 USB)

G0008 Carbanak

(Citation: Kaspersky Carbanak)

References

  1. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  2. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  3. Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
  4. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  5. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  6. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  7. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  8. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
  9. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.